Black Code: Inside the Battle for Cyberspace (22 page)

Eugene Kaspersky is the CEO
of the Russian-based malware and cyber-security research laboratory that bears his name, Kaspersky Lab. An outspoken, controversial, and sometimes flamboyant figure in the computer security industry, Kaspersky attracted wide public attention in 2011 when his twenty-year-old son, Ivan, was kidnapped by people suspected of having ties to the Russian mafia. Ivan was quickly rescued by Russian security forces, and Kaspersky claimed no ransom had been paid ($4.5 million had been demanded). The incident led to considerable speculation. Russian secret forces do not typically intervene in kidnappings involving average citizens, but Kaspersky is no average Russian and many believe that he made a deal with authorities to gain the release of his son, which Kaspersky vehemently denies.

I first encountered Kaspersky at the London Conference on Cyberspace in November 2011. Organized by the British Foreign and Commonwealth Office, the conference was meant to be a major “rules of the road” meeting of great powers on the future of cyberspace and Kaspersky was among several high-profile speakers. The conference itself was poorly organized and produced no tangible results, but Kaspersky certainly made for good theatre.

Taking his turn at the podium, Kaspersky addressed the buttoned-down crowd. His tie askew, suit threadbare, and hair wild and unruly, he began with a finger-wagging admonition: “I
am glad to see that people are finally taking this issue seriously. I have been warning about it for decades. If you had listened to me, and took me seriously, all those years ago.”

After this stark beginning, Kaspersky segued into a more disturbing aspect of his lecture, a series of statements that left many in the assembled crowd squirming, me among them.
Kaspersky is concerned about anonymity online, and that too many people are getting away with Internet crime because they can hide their tracks. He believes we need to institute the cyber equivalent of the passport or driver’s licence. We do not allow people to drive cars without a licence, Kaspersky asserted, so why should we let them browse the Internet unchecked, unregulated? And then he went even further, suggesting that Russia should be regarded as a model for the rest of the world when it comes to Internet governance.

Russia? The model for the rest of the world!

Grumbling started at the back of the room and rippled forward. There were grimaces everywhere, especially among our British hosts, but there were also some vigorous nods of approval from law-and-order types, most of them sporting the dark blue suits and very short haircuts that are the uniform of the defence and intelligence community.

In fact, somewhat under the radar, Russia
has
indeed created a model for cyberspace governance for other autocratic regimes to follow. The Russian Internet, known locally as RUNET, accomplishes controls not through Internet censorship per se, which has been applied only selectively in the past and even then mostly around specific content categories, like homoerotic pornography. Instead, Russian authorities rely on more sophisticated, but also more brutal methods – intimidation, public discrediting, surveillance, and symbolic arrests – while also meddling in organized crime and employing patriotic hackers to muddy attribution. Unfortunately these tactics have proven attractive to a growing number of autocratic
regimes looking to control information and digital activism. Russia, the model for the rest of the world? Maybe, if what we have in mind for the future of cyberspace is a
Blade Runner
dystopia.

Kaspersky raised another ominous possibility, telling
Sky News
at the London conference: “We are close, very close, to cyber terrorism. Perhaps already the criminals have sold their skills to the terrorists, and then … oh, God.”

Cyber terrorism
. The phrase points to a sense of heightened anxiety that has pervaded talk of cyber security since 9/11 : the view that those hideous events represented a failure (at least in part) of Internet surveillance; that had control been tightened over digital communications the perpetrators might have been identified before they were able to execute their plan. But raising the spectre of cyber terrorism can also get a person discredited as a Cassandra.

In this respect, Kaspersky is the Russian equivalent of Richard A. Clarke,
the former U.S. counterterrorism czar. Like Kaspersky, Clarke is famously outspoken, and both believe they were onto something long before anyone else. (Notably, Clarke warned his superiors about the threat of al-Qaeda targeting the United States prior to 9/11.) Like Kaspersky, he is often dismissed as an alarmist, seen by many as simply a rhetorical bomb-thrower. Clarke may not have been the first to employ the phrase “electronic Pearl Harbor” – it was John Deutch, the former CIA director, back in 1996 describing the prospect of terrorists using the Internet to launch a surprise attack – but he uses it liberally, as do many U.S. defence industry lobbyists. Indeed, the phrase continues to be repeated like a mantra in Washington. But if people like Clarke have been warning of a catastrophic electronic Pearl Harbor for decades, why hasn’t it happened? Surely it is not for lack of people with grievances and access to computers?

The truth is that such extreme scenarios are unlikely for a number of reasons. The Internet (and cyberspace as a whole) is resilient
precisely because governance over it is so distributed, and routing of network traffic across the Internet was designed from the outset to take multiple potential paths in the event of a failure of any one of them. The flip side, however, is that as cyberspace expands and embeds itself in more and more of everything we do, the chances of a cascading failure having catastrophic repercussions become considerable. In other words, it also seems unlikely that nothing bad will happen.

•  •  •

In June 2012
,
Kaspersky was back in the news, his company announcing that it had found a major cyber weapon called Flame. Better described as a tool of espionage than a weapon, Flame did not damage computers, but instead siphoned off massive volumes of information in a manner similar to GhostNet.

While technical experts pored over the data, some argued that there could be underlying political processes at work in the Flame revelations. Kaspersky’s organization was given the Flame virus to examine by a Malaysia-based organization called IMPACT (the International Multilateral Partnership Against Cyber Threats), a public–private cyber security alliance set up in 2008 by the International Telecommunication Union (ITU). Founded in the late nineteenth century to enable governments to coordinate international postal and telegraphic traffic, the
ITU is the world’s oldest international organization, and its membership over the years has been almost entirely composed of state-owned telecommunications companies. (Some view it as a telecom cartel for just this reason. State-run telecommunications companies use the ITU to set long-distance telephone rates, a highly profitable source of government revenue.)

The ITU missed the boat on the Internet, however, which was developed largely outside the telecommunications sector and
governed by engineers through an independent non-profit, the Internet Corporation for Assigned Names and Numbers (ICANN), under contract to the U.S. Department of Commerce. Over the past twenty years or so, as the Internet has grown enormously in importance, the ITU has tried to claw its way into Internet governance, a move at times fiercely resisted by those partial to the Internet’s non-state system of governance. Nonetheless, the persistent threat posed by cyber weapons and warfare lend credibility to the involvement of ITU and IMPACT in cyber security and governance. Interestingly, Russia, China, and other governments fully support this involvement, seeing more UN– and ITU-based control as a way to legitimize their own vision of a territorially bounded system of global communications governance that aligns with national sovereignty. In 2011, for example, Russia, China, Tajikistan, and Uzbekistan
proposed a “code of conduct” for cyberspace at the UN General Assembly, and Russia and China have been vocal proponents of a view of cyberspace governance that gives prominence to state controls over the Internet, and state organs power in the decision-making forums that set the rules of the road. Could the sharing of the Flame virus with Kaspersky’s group by the ITU and IMPACT, and his trumpeting about finding a giant cyber weapon, be part of an overall campaign to lend support to the Russian and Chinese preferences for cyberspace governance?

The possible
connections between Flame and another devastating cyber weapon, Stuxnet, fanned the flames of these suspicions. Stuxnet was discovered in 2010, and had been connected to devastating setbacks at Iranian nuclear enrichment facilities. In May 2012, when Kaspersky first made the announcement of the Flame discovery, he speculated that it belonged to the same family of malicious software as Stuxnet, and just about everyone who examined the case believed either the United States or Israel (or both acting together) were involved in its production. Only four days after Kaspersky’s discovery
of Flame, an explosive
New York Times
exclusive by journalist David E. Sanger all but confirmed those suspicions. Adding to the intrigue was the fact that the majority of the victims targeted by the Flame virus were in the Middle East, with most of them in Iran, and that later Kaspersky Lab claimed to have found an authorship link between a 2009 version of Stuxnet and Flame, a claim independently backed up by the security firm Symantec, and then by a supposed U.S. intelligence insider, who leaked the story to the
Washington Post
. As Roel Schouwenberg of Kaspersky Lab theorized: “I think this new discovery shows that the Stuxnet team used Flame code to effectively kick-start their project. I definitely think they are two separate teams, but we do believe they are two parallel projects commissioned by the same entities.”

At the very moment that Russia, China, and their allies are pushing for greater international controls over cyberspace, their primary adversary, the U.S. and its ally Israel not only engage in but appear to tacitly acknowledge their responsibility for the world’s first act of cyber sabotage against a critical infrastructure facility. As former NSA Director Michael Hayden remarked, “Somebody crossed the Rubicon.” The age of cyber warfare is finally upon us.

News of Stuxnet first emerged
in June 2010 when it was identified by a small Belarus security company, VirusBlokAda. Later, the German researcher Ralph Langner undertook
a detailed “decoding” of the virus and helped determine that its target was the specific type of Siemens-produced equipment used at the Iranian Natanz nuclear facility. Speculation quickly grew that the Israelis and/or Americans were behind Stuxnet. Who else could disrupt Iranian nuclear enrichment plants with such stealth and precision? Either the Americans or Israelis, or both acting together, most assumed, and there was growing circumstantial evidence.

The Israelis are generally coy about their military prowess and secretive about their hardware (e.g., their nuclear weapons arsenal). Was it just a slip of the tongue at the retirement party for Lieutenant General Gabi Ashkenazi, the former head of the Israel Defense Forces, when celebrants appeared to claim Stuxnet as one of his major successes? (There was even an hilarious Israeli commercial done for a cable TV company showing what appears to be three bumbling Mossad agents undercover as hijab-wearing women in Iran blowing up a centrifuge after accidentally pressing a button on a Samsung tablet.) American officials also spilled some beans. In December 2010, Gary Samore, White House Coordinator for Arms Control and Weapons of Mass Destruction, Security and Arms Control, told the Foundation for Defense of
Democracies in Washington: “We’re glad they are having trouble with their centrifuge machine and that we, the U.S. and its allies, are doing everything we can to make sure that we complicate matters for them.”

The leaks and speculations on authorship obscure a more important point: the formidable weapon itself and the precedent it sets. A June 2012
New York Times
article by David E. Sanger describes
the planning and operational process behind the Stuxnet virus -how it began under President Bush as “Operation Olympic Games” (OOG), and was passed on to the Obama administration. Upon leaving office, Bush pressed Obama to continue the program, and Sanger describes Obama as being enthusiastic about it, even pushing forward with OOG despite errors in the coding that led to the virus spilling out beyond the Iranian targets to computers in other countries, and from there to the Belarus security firm.

The attack was planned and tested on a dummy Iranian nuclear enrichment plant, a fake target built from scratch in the United States. The
New York Times
reported that in early 2008 Siemens co-operated with the Idaho National Laboratory (part of the U.S. Department of Energy) to identify the vulnerabilities of Siemens computer controls used to operate industrial machinery around the world. From intelligence gathered by the Americans, it was known that Siemens equipment was being used in Iran’s enrichment facilities. Around the same time, the Department of Homeland Security teamed up with the same Idaho lab to study a widely used Siemens control system known as PCS-7. The vulnerability of PCS-7 to cyber attack had been an open secret since Siemens and the Idaho National Lab outlined at a conference in July 2008
the kinds of manoeuvres that could exploit holes in its systems to meet a number of goals, including gaining remote control. Meanwhile, the Israelis started to experiment on an industrial sabotage protocol based on a mockup they had designed of Iran’s enrichment program.

The
code behind Stuxnet was far larger than a typical worm, considerably more detailed, and it contained some brilliantly crafted and highly suggestive elements, including clues as to Israel’s direct involvement. Symantec researcher Liam Ó Murchú noted that his company had uncovered a reference to
an obscure date in the worm’s code: May 9, 1979, the day, shortly after the Iranian Revolution, when a prominent member of the Iranian Jewish community, Habib Elghanian, became the first Jew executed by the new Islamic government. Berlin-based security expert Felix Lindner then found that all manually written functions in Stuxnet’s payload bore the time stamp “September 24, 2007,” the day President Mahmoud Ahmadinejad first publicly questioned whether the Holocaust took place, during a speech at New York’s Columbia University. Lindner found a file inside the code named Myrtus, and speculated this could be a reference to the Book of Esther, an Old Testament story where the Jews pre-empt a Persian plot to destroy them. It is hard to believe the Israelis would unwittingly leave such tell-tale signs of their involvement in Stuxnet; much more likely they show a deliberate intention to drop coy admissions of prowess.